Picture uploading
#3

[eluser]charlie spider[/eluser]
here's my upload function from my current project:

Code:
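/**
 * Accept a JPEG upload for a boot record, write three stored copies of it
 * (full size, 300x300 CMS preview, 40x40 thumbnail) under a hashed base
 * name, record that name through Boot_model, and redirect to the boot page.
 *
 * Reads POST fields bootID, bootNmbr_Name and whchimg. All three are
 * request-controlled.
 *
 * Security notes:
 *  - The stored base name is md5(bootNmbr_Name . whchimg . fixed salt). It is
 *    always 32 hex characters, so request data never reaches the path, but it
 *    is deterministic and not a secret; treat it as a tidy file name, not as
 *    an access control.
 *  - The upload itself first lands in ./uploads/ under the name the upload
 *    library gives it. It is deleted on every path below, including the
 *    "not an image" path, so nothing unvetted stays in that directory.
 *  - NOTE(review): no authorization check is visible in this method;
 *    presumably the controller restricts it to CMS users -- confirm.
 *  - NOTE(review): ./uploads/ looks like it sits inside the web root. Confirm
 *    the web server will not execute scripts from it.
 */
function do_upload()
{
    $this->load->model('Boot_model');

    $config['upload_path'] = './uploads/';
    $config['allowed_types'] = 'jpg';
    // Boolean rather than the string 'TRUE': both are truthy, but the string
    // form reads as if 'FALSE' would switch overwriting off, which it would not.
    $config['overwrite'] = TRUE;
    $this->load->library('upload', $config);
    $this->load->library('image_lib');

    if ( ! $this->upload->do_upload() )
    {
        // Upload rejected: show the form again with the library's errors.
        $this->validation->error_string .= $this->upload->display_errors();
        $this->boot( $this->input->post('bootID') );
        return;
    }

    $upload_data = $this->upload->data();
    $source      = $upload_data['full_path'];

    // Hashed base name for the stored copies (see the security notes above).
    $img4db = md5( $this->input->post('bootNmbr_Name') . $this->input->post('whchimg') . 'salt_phrase' );

    if ( $upload_data['is_image'] )
    {
        // Settings shared by all three passes.
        $base_config = array(
            'image_library'  => 'GD2',
            'source_image'   => $source,
            'maintain_ratio' => TRUE,
            'create_thumb'   => FALSE,
            'quality'        => 100,
        );

        $variants = array(
            // Full-size copy. NOTE(review): no width/height is set here, so
            // depending on the Image_lib version this pass may copy the bytes
            // unchanged instead of re-encoding them. Do not rely on it to
            // strip anything embedded in the upload -- confirm.
            array('new_image' => './uploads/' . $img4db . '_full.jpg'),
            // 300 x 300 copy for the CMS backend.
            array('width' => 300, 'height' => 300, 'new_image' => './uploads/' . $img4db . '_cms.jpg'),
            // 40 x 40 thumbnail; the library inserts thumb_marker into the name.
            array(
                'width'        => 40,
                'height'       => 40,
                'create_thumb' => TRUE,
                'thumb_marker' => '_thumb',
                'new_image'    => './uploads/' . $img4db . '.jpg',
            ),
        );

        $all_written = TRUE;
        foreach ( $variants as $variant )
        {
            $this->image_lib->initialize( array_merge($base_config, $variant) );
            if ( ! $this->image_lib->resize() )
            {
                $this->validation->error_string .= $this->image_lib->display_errors();
                $all_written = FALSE;
            }
        }

        // The upload is no longer needed once the copies exist.
        if ( is_file($source) )
        {
            unlink($source);
        }

        // Only point the database at the new files when every copy was
        // written; otherwise the record would reference files that are missing.
        if ( $all_written )
        {
            if ( ! $this->Boot_model->update_boot_pic( $this->input->post('bootID'), $this->input->post('whchimg'), $img4db, $upload_data['raw_name'] ) )
            {
                // whchimg comes from the request, so escape it before it is
                // placed in a string that ends up in HTML.
                $this->validation->error_string .= 'An error occured while attempting to update '
                    . htmlspecialchars( (string) $this->input->post('whchimg'), ENT_QUOTES, 'UTF-8' );
            }
        }
    }
    else
    {
        // The file passed the extension whitelist but is not an image.
        // Remove it instead of leaving it in the uploads directory, and
        // report that (image_lib has not run, so it has no errors to show).
        if ( is_file($source) )
        {
            unlink($source);
        }
        $this->validation->error_string .= 'The uploaded file is not a valid image.';
    }

    // NOTE(review): the messages appended to error_string above are followed
    // by a redirect; unless they are persisted between requests they will
    // not be displayed -- confirm.
    // NOTE(review): bootID is request-controlled and goes into the redirect
    // path as-is; presumably it is a numeric id -- validate it if so.
    $goBack = 'cms/boot/' . $this->input->post('bootID');
    redirect($goBack, 'refresh');
}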


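i store the original image name in the database as well as the scrambled ( md5 + salted ) version. Then to display an image on the site i send the original filename to a script that retrieves the scrambled filename from the database, then sends the headers and streams the image to the browser. From the site visitor's perspective, they never see the scrambled filename and therefore can't reference any hacker-laced files they've uploaded. Note that the scrambled name is obscurity rather than a control (it is an md5 of form fields plus a fixed salt): the checks that actually matter are the jpg-only whitelist, the is_image test and the fixed .jpg extension on every stored copy.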

